Month: March 2018

If you are interested in virtual reality, you surely know that the buzzword of 2018 is “standalone.” All the major VR companies are betting on standalone VR devices: HTC Vive China president Alvin Wang Graylin announced in a recent interview that his goal for 2018 is to see standalone devices becoming successful and Oculus’ Hugo Barra has expressed a similar opinion.

But what are standalone VR devices? And why do all of these important people believe in them? Let me answer these questions for you.

What is a standalone VR device?
The typical virtual reality headset can come in two flavors:

• Connected to a PC for an expensive, high performance experience (e.g. Oculus Rift and HTC Vive);
• Integrated with your mobile phone for a cheap, low quality experience (e.g. Gear VR and Daydream).

Figure 1 Oculus Go standalone headset (Image credit: Oculus)

Standalone VR sits somewhere in the middle between these two extremes: it is a good quality experience, for an affordable price. But its peculiarity is that standalone VR headsets do not require anything else to work: they don’t need a phone or a PC; they work out of the box. A standalone device is similar to a mobile VR headset, but it already includes all the required electronical parts, it already embeds the display, the processing power and all the other hardware inside. It is a computer on its own.

Figure 2 Vive Focus device (Image credit: HTC Vive)

This means that the user can buy it, unbox it and then put it on his/her head to start living VR experiences immediately.

Why are all the companies betting on them?
Standalones offer a lot of clear advantages over the other available VR devices:

• They are affordable. A standalone VR headset costs less than a Samsung phone plus GearVR or than an Oculus Rift plus VR-ready PC. Some standalones are really cheap: the upcoming Oculus Go, for instance, will cost only US $200, and this will let a lot of people afford entering virtual reality;
• They are easy to use. They don’t require setups of any kind. Every person can use them, even without technological expertise. The user just has to just put the device on his/her head. This means that virtual reality may exit the techie realm and enter into the consumers domain;
• They are handy. It is very easy to carry a headset with you by just putting it in your backpack;
• They come in various flavors, like:
  • very cheap standalone devices, such as the Oculus Go and Pico Goblin, that offer a very basic experience;
  • more expensive devices that let the user move inside virtual reality, like the Vive Focus and Lenovo Mirage Solo;
  • Oculus Santa Cruz and Pico Neo that offer an expensive experience but with the ability to move and interact within the virtual world.

In my previous post, I highlighted how price and ease of use are two of the pain points of virtual reality. Standalone devices can solve both. They can make virtual reality mainstream and can be the key to eventually get 1 billion people in virtual reality, as Mark Zuckerberg wants. That’s why always more companies are betting on this form factor.

But …
There’s a big issue that I want to highlight: in the very short term, standalones are VR-only devices, so they require people to spend money just to experience virtual reality. But the general consumer still doesn’t understand the purpose of VR and, in fact, a lot of free Cardboards and Gear VRs gather dust on the shelves. This means that the various manufacturers will have to convince people why they need to spend money to have VR.

Standalone devices will be important for VR widespread diffusion. But, as you can see, the road to mainstream adoption is still long.

Antony Vitillo, AR/VR Consultant and Blogger

[ISACA Now Blog]

Articles 37 and 38 of the General Data Protection Regulation (GDPR) provide information on the principles and impartiality of the critical data protection officer (DPO) role, specifying the high-level rules on what can and can’t be done. But like most of the GDPR, it leaves wide open the interpretation of the how and when it is appropriate to have a DPO.

Article 29 Working Party has provided much-needed guidance on this subject, and we have been told which roles can’t hold DPO responsibilities (such as the CEO and Marketing Director, due to potential conflicts of interest). However, it does not address the first question on every organization’s lips: “Do I need to appoint an independent DPO in the first place, and if yes, when?”

The answer lies in the organization itself, or more specifically, the types of data processing activities it undertakes. For example, if you process large quantities of EU personal data (such as a small US-based web profiling firm that tracks IP addresses or web cookies for a French utility website to provide customer website stickiness), or if you hold sensitive personal records like medical histories, then your organization qualifies under GDPR rules and you therefore need to allocate someone to manage the DPO responsibilities (note: the DPO does not necessarily have to be directly employed by the organization, just qualified to hold the role).

Like the applicability of GDPR itself, the DPO role is not dependent upon number of staff or size of turnover, which is why many of the UK’s 5.7 million small-to-medium sized organizations qualify for GDPR (55 million across the EU), and why so many other organizations around the world that provide services into Europe are busy preparing themselves for GDPR compliance. This makes GDPR a truly global regulation and its implications far-reaching. For example, if as an EU citizen I wanted to exercise my rights under GDPR with an organization based in Delhi, then I’m entitled to this right (assuming my personal data is processed there), and the organization has to uphold my request.

Depending upon the size of your organization and the level of processing activities you undertake, you may choose to nominate an individual with responsibility, split the responsibilities among different roles, or even outsource the role externally. However, the only stipulation is that the DPO must be truly independent and understand the systems and processes involving personal data and/or deliver services to EU citizens and, crucially, be qualified or experienced in data protection. This is obvious when you consider the unique nature of advice given and the difficulty in interpretation of the GDPR rule book. It also precludes the role being held by a lawyer; as important it is to understand the law, it is equally important to be able to implement the law within your organization.

So, every DPO has rather a difficult job to do. DPOs need to understand the implications of the law within your organization, uphold the rights of individuals and provide careful advice surrounding the implementation of the rules. Get this wrong, and you could end up in court or face huge financial penalties. Of course, this is naturally dependent upon how much data you are processing or perhaps the risks your systems face from its daily processing activities. In other words, if your systems for processing data are complicated and stretch back to the Doomsday book – you have a lot of work to do. Conversely, if you process small amounts of EU personal data, then the impact of GDPR is nominal. The key to appointing your DPO is choosing an individual who understands law, security and privacy risk. You need someone who can determine the difference between a business decision and a true privacy/security risk (e.g., consent, rights or data encryption), and has the ability to make crucial judgements on what could attract unwanted regulator attention or cost the business in loss of trade or a missed opportunity.

The key to this role, then, not only lies in finding a knowledgeable, balanced individual who is sensible under pressure, but also an individual who understands the principles of privacy and security, can act with integrity to protect the rights of an individual, and preferably can advise on protecting personal data to avoid any harm to that individual.

Above all, whether you outsource, co-source or hire a DPO (or contactor), my strong advice is you pick someone who understands GDPR, risk and controls, and has experience in implementing mechanisms that will allow your organization to make appropriate and proportionate risk assessments (think privacy by design), and realistic recommendations that will balance the cost of compliance in doing business against the cost of growing the business.

Good luck in your search, and take your time to find the right solution for your organization.

Editor’s note: For more ISACA resources on GDPR, visit www.isaca.org/gdpr.

Steve Wright, Data Privacy & Information Security Officer, John Lewis Partnership

[ISACA Now Blog]